Analysis Overview
SHA256
ac0fd3cfb2d109fe86e26b8278990027d09694dfd7cacfe15cb9c39e4cb4bfb8
Threat Level: Known bad
The file 2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Cobalt Strike reflective loader
UPX dump on OEP (original entry point)
Cobaltstrike
Cobaltstrike family
Detects Reflective DLL injection artifacts
Xmrig family
xmrig
UPX dump on OEP (original entry point)
XMRig Miner payload
Detects Reflective DLL injection artifacts
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-11 11:24
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 11:24
Reported
2024-06-11 11:26
Platform
win7-20240221-en
Max time kernel
139s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\xxuwuRU.exe | N/A |
| N/A | N/A | C:\Windows\System\DXhWcUu.exe | N/A |
| N/A | N/A | C:\Windows\System\iCDvSkJ.exe | N/A |
| N/A | N/A | C:\Windows\System\ZZDAjJF.exe | N/A |
| N/A | N/A | C:\Windows\System\gVKmeIB.exe | N/A |
| N/A | N/A | C:\Windows\System\CnxcxoI.exe | N/A |
| N/A | N/A | C:\Windows\System\KWHfLCn.exe | N/A |
| N/A | N/A | C:\Windows\System\MgBgwuG.exe | N/A |
| N/A | N/A | C:\Windows\System\aUETXhF.exe | N/A |
| N/A | N/A | C:\Windows\System\UfJizcA.exe | N/A |
| N/A | N/A | C:\Windows\System\NAclPnn.exe | N/A |
| N/A | N/A | C:\Windows\System\NOhjGNx.exe | N/A |
| N/A | N/A | C:\Windows\System\SQpWJCT.exe | N/A |
| N/A | N/A | C:\Windows\System\VLssnKC.exe | N/A |
| N/A | N/A | C:\Windows\System\CxUOtcJ.exe | N/A |
| N/A | N/A | C:\Windows\System\McimbTL.exe | N/A |
| N/A | N/A | C:\Windows\System\WXHrfUf.exe | N/A |
| N/A | N/A | C:\Windows\System\UpxLhZi.exe | N/A |
| N/A | N/A | C:\Windows\System\EtSEFum.exe | N/A |
| N/A | N/A | C:\Windows\System\UWxixaq.exe | N/A |
| N/A | N/A | C:\Windows\System\zKLmSqu.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\xxuwuRU.exe
C:\Windows\System\xxuwuRU.exe
C:\Windows\System\DXhWcUu.exe
C:\Windows\System\DXhWcUu.exe
C:\Windows\System\iCDvSkJ.exe
C:\Windows\System\iCDvSkJ.exe
C:\Windows\System\ZZDAjJF.exe
C:\Windows\System\ZZDAjJF.exe
C:\Windows\System\gVKmeIB.exe
C:\Windows\System\gVKmeIB.exe
C:\Windows\System\CnxcxoI.exe
C:\Windows\System\CnxcxoI.exe
C:\Windows\System\KWHfLCn.exe
C:\Windows\System\KWHfLCn.exe
C:\Windows\System\MgBgwuG.exe
C:\Windows\System\MgBgwuG.exe
C:\Windows\System\aUETXhF.exe
C:\Windows\System\aUETXhF.exe
C:\Windows\System\UfJizcA.exe
C:\Windows\System\UfJizcA.exe
C:\Windows\System\NAclPnn.exe
C:\Windows\System\NAclPnn.exe
C:\Windows\System\NOhjGNx.exe
C:\Windows\System\NOhjGNx.exe
C:\Windows\System\SQpWJCT.exe
C:\Windows\System\SQpWJCT.exe
C:\Windows\System\VLssnKC.exe
C:\Windows\System\VLssnKC.exe
C:\Windows\System\CxUOtcJ.exe
C:\Windows\System\CxUOtcJ.exe
C:\Windows\System\McimbTL.exe
C:\Windows\System\McimbTL.exe
C:\Windows\System\WXHrfUf.exe
C:\Windows\System\WXHrfUf.exe
C:\Windows\System\UpxLhZi.exe
C:\Windows\System\UpxLhZi.exe
C:\Windows\System\EtSEFum.exe
C:\Windows\System\EtSEFum.exe
C:\Windows\System\UWxixaq.exe
C:\Windows\System\UWxixaq.exe
C:\Windows\System\zKLmSqu.exe
C:\Windows\System\zKLmSqu.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3068-0-0x000000013F4B0000-0x000000013F804000-memory.dmp
memory/3068-1-0x0000000000180000-0x0000000000190000-memory.dmp
\Windows\system\xxuwuRU.exe
| MD5 | 2dd6d8299ff304862a4cbe348d3ae9cd |
| SHA1 | 6c41dec3b3ea19f654b31ddf5edb833569a626c6 |
| SHA256 | ccf7935464ddfc0d12098fae4120ce2bdc2b28986377e56c66f2d50db0e0e12d |
| SHA512 | 7f0ae4dc59262738ff3fc9f406aa4f64bad9f1559f54068b4eaee0065c487561db4bcf313197472dd822692f05baf137b981280910d28cee456b903187e26a0e |
C:\Windows\system\DXhWcUu.exe
| MD5 | 0b543d7e77bdb9e7c31e53877c5f61f5 |
| SHA1 | a0d40ef3b442d6c3a6add3c7b8765bb45344312b |
| SHA256 | dda099f0fc6b042bb5a782703522d3e99a54109dd2035bb70a78dec8b7d8ad61 |
| SHA512 | beeb20d9d59f53d5c54c9c0d88d28db98c499eaca7909b9a5ec5ffa0eb72fb56998f4ba449fab634793f1972c42ca7ec8664ec68c51bb1cc5507ca47e4e42d7c |
memory/3068-14-0x0000000002210000-0x0000000002564000-memory.dmp
memory/2500-15-0x000000013F200000-0x000000013F554000-memory.dmp
memory/3020-12-0x000000013F650000-0x000000013F9A4000-memory.dmp
C:\Windows\system\iCDvSkJ.exe
| MD5 | dab575d6e2c4e3cf44cb89c20144f3b8 |
| SHA1 | b0548777fc6de584c13956f383432880ba362db7 |
| SHA256 | b4cb7ce43dbd04e9346ca1ea26ce788174e81001bf330afd5526955e48ed712f |
| SHA512 | e1b7297f9c4a38e9b2e4fd391fc8f8fae343e3902aecfbe47fa6cebc3314d287044df268ac2155d0c51adf5a55ad213b3af389df14bf7d2eefdd060eac5ba8ba |
C:\Windows\system\ZZDAjJF.exe
| MD5 | a8cad41f327ade97e5f21b22cdf3b2bb |
| SHA1 | e817f94d4ae6002ed98b736f4008088210874581 |
| SHA256 | ad663d764bae06d8944169045b6499af139097b0b08f1cd35d5e33daab5a28c4 |
| SHA512 | 7622b81d039e5d5d89b70653e90b838926ddd6a0d05bda9d68591667c210fa81779078cb2d11299d5e0a8e90767cd1bd93263be75f4dbefe74ef78759580bebb |
memory/3068-28-0x000000013FEE0000-0x0000000140234000-memory.dmp
memory/2684-29-0x000000013FEE0000-0x0000000140234000-memory.dmp
C:\Windows\system\CnxcxoI.exe
| MD5 | 1dbb2134c6a100fdfbe64d876f975ae7 |
| SHA1 | 3ec50fb1d39f284d311f763c4ef13a10722fff4c |
| SHA256 | aaef1ebb49d568e91524386ba8f0952cb98e086b96bb2deaf5cb632c2cf4c6a8 |
| SHA512 | 9671f3075a43214176a882195ba44b17f28a1acb6c30daf6298217d8fb41429e769b6cba2a548c771293f6d2bd94feec48ba110c8e9bee2468e17796d0f4fc15 |
memory/2568-40-0x000000013F020000-0x000000013F374000-memory.dmp
memory/2412-35-0x000000013FF40000-0x0000000140294000-memory.dmp
memory/3068-34-0x000000013FF40000-0x0000000140294000-memory.dmp
C:\Windows\system\gVKmeIB.exe
| MD5 | 522ce300f8b1d46df762fe8ee5177cfc |
| SHA1 | 7af34431582010333cff5f1d7b299199277e0771 |
| SHA256 | f96a62d5f2274f750784d40c6fc88966050a7e169d78b9c68f4e8b0c4ef64e87 |
| SHA512 | 9dba85dfde0fd979cf120f3c993a3c4aec5d0dcfde23849e35e3cd9130f13fd2465f307607dbe43b9c865621391734d6c60b22a9d6ad52dda7d84fbef85a111d |
memory/3068-39-0x000000013F020000-0x000000013F374000-memory.dmp
memory/2512-22-0x000000013F0E0000-0x000000013F434000-memory.dmp
memory/3068-21-0x000000013F0E0000-0x000000013F434000-memory.dmp
C:\Windows\system\MgBgwuG.exe
| MD5 | e003f2f57b871cad7d3d7274bad12dde |
| SHA1 | 9d10ed7bcb62a282fdc7a2c7ef0df50c46e8b6a6 |
| SHA256 | 4bfb3e537c5d69eb28cfced3c9b4ec7c6f9aa6db682c4b03e545f765673ac12e |
| SHA512 | f4809938a5a19c7619dc0bf56ac7c7bd2282439b3b82345129817714033afb7f61d1d706184e648fa3879cae182794aed357b4bb749d86d20cd3c13c1d16ab1f |
memory/3068-54-0x000000013FC50000-0x000000013FFA4000-memory.dmp
memory/2364-55-0x000000013FC50000-0x000000013FFA4000-memory.dmp
C:\Windows\system\aUETXhF.exe
| MD5 | f75b7b9094e810a51575c29bbfb19ebb |
| SHA1 | d3f8338613173a6a41503db21f51c83781337046 |
| SHA256 | 69dfba597b644e8a0557cb6780e260f66574d08a54f9a753adde8d1c6cf4d49d |
| SHA512 | 34d059402658e847950cb88559904478255de9e30a621fa45a5150398b674bc25e567adac0ec8e3c82e6e88d0c9de183289bfd15d521eae1952f98accaaf1d76 |
\Windows\system\UfJizcA.exe
| MD5 | e1742ec7685a1413cff90036a2611a3b |
| SHA1 | 14ef5338ff598e5ebbcb6c73629239c9d215757f |
| SHA256 | bdb67d58a300496385feb73a5460f44af63fabbf760ba58c265efb1475291eda |
| SHA512 | a674047082195653241507e88c00fe6b5779af260b9659e9adc4ab54489ba813f0e804bb809fc3a0df2bcfcda17fb4f7cfd08ab478a87901127af522e53933ce |
memory/3068-69-0x0000000002210000-0x0000000002564000-memory.dmp
memory/2452-70-0x000000013F140000-0x000000013F494000-memory.dmp
C:\Windows\system\NAclPnn.exe
| MD5 | f45ad7a36f6b4d0f3670a407bdee7be7 |
| SHA1 | 0bef34dc9f83436d491d921d608e4f3d1f7bceeb |
| SHA256 | 7e8ba3ef67d94f91f4119a50a36806101c36037841ad59a0557002a62439759c |
| SHA512 | dc0defcbe305eaf37945cca4612f23f248d359251cd5f4e78d584f5144258bdb6fbc6ab7a7c149b17aecb34010ac1de7a880343fffff5191575e1bb5dc045271 |
C:\Windows\system\SQpWJCT.exe
| MD5 | 0df113c56ddfbb89f16b057e2691880f |
| SHA1 | f4d2d0a362311111fe1cd9607d5a23214bf6d40e |
| SHA256 | aca03e3a24d1a3175d17347a33f7eaf695ffe4af405bed8b80011c57ad8b0b7f |
| SHA512 | 242c9a42f602f85795af185e45c6bceea562e7ecda38c206c375c3d088327ce370bf647095238e525f3ed922ff4666f191f140007fe610718a0fc1569b3eb646 |
C:\Windows\system\UpxLhZi.exe
| MD5 | 183e3dc97062dd327482f6c89514a1e6 |
| SHA1 | 4c5e91e2cb1fc29d888ceb2d1e0aefcea8484a7c |
| SHA256 | 407b0ba7352cd1fcc09ef2000982f87c05865b2741aa9f59718d88cbbb88bf96 |
| SHA512 | fda4e206351b1c7e135c6d82b005cce965ac53e7dc712d9e0f8bddc2ae7fb4fab26d4f0f9d8db104bc48f9d00c02825e769816a631305eb14a6aa93aae66b7a4 |
\Windows\system\zKLmSqu.exe
| MD5 | 2ef37d1833f2c68017551a035fbc0c76 |
| SHA1 | 4ebd717fef82fc2721c92151f2a23975e146bb75 |
| SHA256 | f94bdfe13e2f8920dc7424aa5d66645ccf6900eacc867810ccb06d36a503bd52 |
| SHA512 | 3054e45df88b02b00373003e3a685c568ffd9a848564d69dc8b089e7cd3995727d34f1e23e399cef821071575946391d210d8bc874f9624e195c20600b78f91e |
C:\Windows\system\UWxixaq.exe
| MD5 | 7f9cf1c2267064530d192b9fbc7f3889 |
| SHA1 | 33c87b210c8dcf3279b69fa31afdba2cf99d3876 |
| SHA256 | 773b628577a198176274f0d4b80ffd6b3d2c33711970e8f6a716bb930ecad7ee |
| SHA512 | b6ea972a3fa6d7cb1f2f984092bac0be8978f63c446f09f4df13b00de27e39b905dfefa89d368a329fdc7ef4e8ff3d8330089ee295844bb932e2259ec331bb6b |
C:\Windows\system\EtSEFum.exe
| MD5 | b5304f6fd51b0b48dbae2b1c8e538e15 |
| SHA1 | 0751e8ec4829823739df4c8df55521f33f545d0e |
| SHA256 | ca23281777306918e4a1bba4d3481756b413be1859540a61f170a233892da7ab |
| SHA512 | 0d62c9a80c716bd8022c1085f8289f65e9349cfd3309f5e3f55d65b76d788054a1c7767000da9642f01d74800312fb39937ec46a7e462dd9789258a46b9cd3a7 |
C:\Windows\system\WXHrfUf.exe
| MD5 | dd02fbe8615250b8e6bc5e3f77ae9979 |
| SHA1 | 6eed8b67e62952f42ea5347e773ee534a52a2c88 |
| SHA256 | f297cc9e46d4f1598578095478d865daa621ab2261800c3ebfa2fdb1812fd6bc |
| SHA512 | 18e1208cff925d207bbb4a3000a6cbb361ec83a007038d1998e253966d2afd8e056844716676ed519c80d532d357f82c7a19e9cf8dcec337b269830f60665ad0 |
memory/3068-104-0x000000013FC80000-0x000000013FFD4000-memory.dmp
C:\Windows\system\CxUOtcJ.exe
| MD5 | 082221b97d86e6fabe5f9154c530caba |
| SHA1 | ba757c8c47ff7700f26307f29cebfe8b7ab024a7 |
| SHA256 | 5778b24f8a9aaa0e19d9b142efa928677d49f8c6111cbe076a74cd23661047b0 |
| SHA512 | e64499f738a3466bc68093eea5c51b8d881b5883f3956e0e483e50932f8137a43ca698f615858e6e6f262bef3bcb9a04263567ab0c9da1e80e02a3abde18e1dd |
C:\Windows\system\McimbTL.exe
| MD5 | 8d023437f9c167c91a736b75ae6bf8f4 |
| SHA1 | efb432afd314bdf258229dadc8b61265858b3179 |
| SHA256 | d15a9b297a856181f28174377c1d1a42c05c4d3cacf0a191409d31e9c331513f |
| SHA512 | 869105aea731e3f023c6d25ce2d6f494ae06cf058488aa1d6dce886f814dfd8be154060a505ca1f788f7a945a1b8fee336f53b1c762e775019a8b812e5f08bed |
memory/2464-98-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/3068-97-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/2568-96-0x000000013F020000-0x000000013F374000-memory.dmp
memory/2816-89-0x000000013FC40000-0x000000013FF94000-memory.dmp
memory/3068-88-0x000000013FC40000-0x000000013FF94000-memory.dmp
memory/2412-87-0x000000013FF40000-0x0000000140294000-memory.dmp
C:\Windows\system\VLssnKC.exe
| MD5 | a9d9e6d7eebc6ae34b1051b2f71e9e86 |
| SHA1 | aabb7187bf0286acf39f5ac49f493555dbb4f06f |
| SHA256 | 1795aa9dd70fc63543471f1767e620ed7591ddceafb1468388c8da5e812fe862 |
| SHA512 | 2c3ecb3b994c98c46bca4716d6dcb8297f0ccfd8ab186feccaf6e2c1f91d9a8d39fd683158eaf7f883a95ed6dc56158dc9dda95098454bc8db462ccb0a45c060 |
memory/2768-82-0x000000013F5F0000-0x000000013F944000-memory.dmp
memory/3068-81-0x0000000002210000-0x0000000002564000-memory.dmp
memory/2772-75-0x000000013F170000-0x000000013F4C4000-memory.dmp
C:\Windows\system\NOhjGNx.exe
| MD5 | 3568dd784a026e96c3a2cac344c2420b |
| SHA1 | 4373577574fa081dcb5a31088291e079bf175d4b |
| SHA256 | dd5e3655e9ace65bdce8819fdc55f1e6d30519e1808548e536b522e1586a776b |
| SHA512 | 7d9e06f1795470716d9e3c32376856796f05d5e03c076ef05d81494c226d702705a9a59456b11faee3089756f903aa911849f6b9696d12eff02bfc67c5726b43 |
memory/3020-68-0x000000013F650000-0x000000013F9A4000-memory.dmp
memory/380-61-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/3068-60-0x000000013F4B0000-0x000000013F804000-memory.dmp
memory/1504-48-0x000000013FEA0000-0x00000001401F4000-memory.dmp
C:\Windows\system\KWHfLCn.exe
| MD5 | 90eab85d124ae2413d56163bb84a85bc |
| SHA1 | dd2970a8fd042d61271a0ea725c55487e8315d72 |
| SHA256 | 8f566be213ffa46bc3d43039ff47b3320954a3923dca01da073e55d6cb509a94 |
| SHA512 | 411c37e0fe664bf9d9d6a282a7e89c105f7decbfd59d300e4bdaafa0ea98c070702c516e4235b8237a3bb7071ab871fbba94275558dec445fc9a8d26a0cbe5f3 |
memory/380-136-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/3068-137-0x0000000002210000-0x0000000002564000-memory.dmp
memory/2772-138-0x000000013F170000-0x000000013F4C4000-memory.dmp
memory/2768-139-0x000000013F5F0000-0x000000013F944000-memory.dmp
memory/3068-140-0x000000013FC40000-0x000000013FF94000-memory.dmp
memory/2816-141-0x000000013FC40000-0x000000013FF94000-memory.dmp
memory/3068-142-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/2464-143-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/3068-144-0x000000013FC80000-0x000000013FFD4000-memory.dmp
memory/2500-145-0x000000013F200000-0x000000013F554000-memory.dmp
memory/3020-146-0x000000013F650000-0x000000013F9A4000-memory.dmp
memory/2512-147-0x000000013F0E0000-0x000000013F434000-memory.dmp
memory/2684-148-0x000000013FEE0000-0x0000000140234000-memory.dmp
memory/2568-149-0x000000013F020000-0x000000013F374000-memory.dmp
memory/1504-150-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/2364-151-0x000000013FC50000-0x000000013FFA4000-memory.dmp
memory/380-152-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/2452-153-0x000000013F140000-0x000000013F494000-memory.dmp
memory/2772-154-0x000000013F170000-0x000000013F4C4000-memory.dmp
memory/2768-155-0x000000013F5F0000-0x000000013F944000-memory.dmp
memory/2816-156-0x000000013FC40000-0x000000013FF94000-memory.dmp
memory/2464-157-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/2412-158-0x000000013FF40000-0x0000000140294000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 11:24
Reported
2024-06-11 11:26
Platform
win10v2004-20240508-en
Max time kernel
141s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\AiWbEsM.exe | N/A |
| N/A | N/A | C:\Windows\System\QOaeeDj.exe | N/A |
| N/A | N/A | C:\Windows\System\RmmabvM.exe | N/A |
| N/A | N/A | C:\Windows\System\zZhLwlr.exe | N/A |
| N/A | N/A | C:\Windows\System\wEHhAqw.exe | N/A |
| N/A | N/A | C:\Windows\System\EFbQTWU.exe | N/A |
| N/A | N/A | C:\Windows\System\MHEPDso.exe | N/A |
| N/A | N/A | C:\Windows\System\fnmctxb.exe | N/A |
| N/A | N/A | C:\Windows\System\UEviDzH.exe | N/A |
| N/A | N/A | C:\Windows\System\gOSrAgc.exe | N/A |
| N/A | N/A | C:\Windows\System\jUIKCih.exe | N/A |
| N/A | N/A | C:\Windows\System\Nocamvg.exe | N/A |
| N/A | N/A | C:\Windows\System\ZYNilIF.exe | N/A |
| N/A | N/A | C:\Windows\System\pYxWBhQ.exe | N/A |
| N/A | N/A | C:\Windows\System\BdFLprk.exe | N/A |
| N/A | N/A | C:\Windows\System\VAPqiDG.exe | N/A |
| N/A | N/A | C:\Windows\System\mfNaIpK.exe | N/A |
| N/A | N/A | C:\Windows\System\RlcTpyn.exe | N/A |
| N/A | N/A | C:\Windows\System\pSSRwND.exe | N/A |
| N/A | N/A | C:\Windows\System\jPfMlXv.exe | N/A |
| N/A | N/A | C:\Windows\System\KDTBZBT.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\AiWbEsM.exe
C:\Windows\System\AiWbEsM.exe
C:\Windows\System\QOaeeDj.exe
C:\Windows\System\QOaeeDj.exe
C:\Windows\System\RmmabvM.exe
C:\Windows\System\RmmabvM.exe
C:\Windows\System\zZhLwlr.exe
C:\Windows\System\zZhLwlr.exe
C:\Windows\System\wEHhAqw.exe
C:\Windows\System\wEHhAqw.exe
C:\Windows\System\EFbQTWU.exe
C:\Windows\System\EFbQTWU.exe
C:\Windows\System\MHEPDso.exe
C:\Windows\System\MHEPDso.exe
C:\Windows\System\fnmctxb.exe
C:\Windows\System\fnmctxb.exe
C:\Windows\System\UEviDzH.exe
C:\Windows\System\UEviDzH.exe
C:\Windows\System\gOSrAgc.exe
C:\Windows\System\gOSrAgc.exe
C:\Windows\System\jUIKCih.exe
C:\Windows\System\jUIKCih.exe
C:\Windows\System\Nocamvg.exe
C:\Windows\System\Nocamvg.exe
C:\Windows\System\ZYNilIF.exe
C:\Windows\System\ZYNilIF.exe
C:\Windows\System\pYxWBhQ.exe
C:\Windows\System\pYxWBhQ.exe
C:\Windows\System\BdFLprk.exe
C:\Windows\System\BdFLprk.exe
C:\Windows\System\VAPqiDG.exe
C:\Windows\System\VAPqiDG.exe
C:\Windows\System\mfNaIpK.exe
C:\Windows\System\mfNaIpK.exe
C:\Windows\System\RlcTpyn.exe
C:\Windows\System\RlcTpyn.exe
C:\Windows\System\pSSRwND.exe
C:\Windows\System\pSSRwND.exe
C:\Windows\System\jPfMlXv.exe
C:\Windows\System\jPfMlXv.exe
C:\Windows\System\KDTBZBT.exe
C:\Windows\System\KDTBZBT.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2572-0-0x00007FF642A20000-0x00007FF642D74000-memory.dmp
memory/2572-1-0x000001E6545F0000-0x000001E654600000-memory.dmp
C:\Windows\System\AiWbEsM.exe
C:\Windows\System\QOaeeDj.exe
C:\Windows\System\RmmabvM.exe
C:\Windows\System\wEHhAqw.exe
C:\Windows\System\EFbQTWU.exe
C:\Windows\System\MHEPDso.exe
C:\Windows\System\UEviDzH.exe
C:\Windows\System\fnmctxb.exe
C:\Windows\System\zZhLwlr.exe
C:\Windows\System\gOSrAgc.exe
C:\Windows\System\jUIKCih.exe
C:\Windows\System\Nocamvg.exe
C:\Windows\System\ZYNilIF.exe
C:\Windows\System\pYxWBhQ.exe
C:\Windows\System\BdFLprk.exe
C:\Windows\System\VAPqiDG.exe
C:\Windows\System\mfNaIpK.exe
C:\Windows\System\RlcTpyn.exe
C:\Windows\System\pSSRwND.exe
C:\Windows\System\jPfMlXv.exe
C:\Windows\System\KDTBZBT.exe